User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
Sigma rule (View on GitHub)
1title: User Added To Admin Group Via Sysadminctl
2id: 652c098d-dc11-4ba6-8566-c20e89042f2b
3related:
4 - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
5 type: obsolete
6status: test
7description: Detects attempts to create and add an account to the admin group via "sysadminctl"
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
10 - https://ss64.com/osx/sysadminctl.html
11author: Sohan G (D4rkCiph3r)
12date: 2023-03-19
13tags:
14 - attack.initial-access
15 - attack.privilege-escalation
16 - attack.t1078.003
17logsource:
18 category: process_creation
19 product: macos
20detection:
21 selection:
22 # Creates and adds new user to admin group
23 Image|endswith: '/sysadminctl'
24 CommandLine|contains|all:
25 - ' -addUser '
26 - ' -admin '
27 condition: selection
28falsepositives:
29 - Legitimate administration activities
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
sysadminctl Administer system user accounts. sysadminctl can be used to change user passwords, create new users (including automatically provisioning the user home folder) or to check the status of...
Read More
Related rules
- User Added To Admin Group Via Dscl
- User Added To Admin Group Via DseditGroup
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address